CN112035334A - Abnormal equipment detection method and device, storage medium and electronic equipment - Google Patents

Info

Publication number: CN112035334A (application CN202010968051.9A; granted version CN112035334B)
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 唐煜
Applicants / assignees: Guangdong Oppo Mobile Telecommunications Corp Ltd; Shenzhen Huantai Technology Co Ltd
Legal status: granted, active
Prior art keywords: abnormal, matrix, equipment, devices, propagation

Classifications

    • G06F11/3438 Monitoring of user actions (under G06F11/34 Recording or statistical evaluation of computer activity or user activity; G06F11/30 Monitoring; G06F11/00 Error detection, error correction, monitoring)
    • G06F18/23 Clustering techniques (under G06F18/20 Analysing; G06F18/00 Pattern recognition)
    • G06F18/24 Classification techniques (under G06F18/20 Analysing; G06F18/00 Pattern recognition)

Abstract

The disclosure provides an abnormal device detection method, an abnormal device detection apparatus, a computer-readable storage medium and an electronic device, and relates to the technical field of computers. The abnormal device detection method comprises: acquiring a detected abnormal device and the devices associated with it; generating a corresponding Laplacian matrix from the association relations between the abnormal device and the associated devices and the association relations among the associated devices; modifying the Laplacian matrix with an identity matrix to obtain a propagation matrix; and detecting abnormal devices among the associated devices based on the propagation matrix. The method and apparatus can detect abnormal devices among all devices associated with a detected abnormal device using the modified Laplacian matrix, so that anomaly detection of the remaining devices can be completed starting from a small number of known abnormal devices.

Description

Abnormal equipment detection method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an abnormal device detection method, an abnormal device detection apparatus, a computer-readable storage medium, and an electronic device.
Background
With the continuous development of computer technology, network communication becomes an important means for people to communicate in daily life, and users can complete various daily activities such as information interaction with other people, information acquisition, leisure and entertainment and the like through user equipment connected to the network.
However, for various reasons user equipment may be taken over by an illicit party and used for abnormal operations, becoming an abnormal device. Such abnormal devices pose a serious danger to network security, disturb normal network order and cause unnecessary losses. Existing methods for detecting abnormal devices have problems such as requiring a large amount of training data and being easy for attackers to bypass.
Disclosure of Invention
The present disclosure provides an abnormal device detection method, an abnormal device detection apparatus, a computer-readable storage medium, and an electronic device, which can, at least to some extent, complete anomaly detection of other devices starting from a small number of known abnormal devices.
According to a first aspect of the present disclosure, there is provided an abnormal device detection method including: acquiring a detected abnormal device and all associated devices of the abnormal device; generating a corresponding Laplacian matrix according to the association relations between the abnormal device and the associated devices and the association relations among the associated devices; modifying the generated Laplacian matrix with an identity matrix to obtain a propagation matrix; and detecting abnormal devices among the associated devices based on the propagation matrix.
According to a second aspect of the present disclosure, there is provided an abnormal device detection apparatus including: a relation acquisition module for acquiring a detected abnormal device and all associated devices of the abnormal device; a matrix generation module for generating a corresponding Laplacian matrix according to the association relations between the abnormal device and the associated devices and the association relations among the associated devices; and a device detection module for modifying the generated Laplacian matrix with an identity matrix to obtain a propagation matrix and detecting abnormal devices among the associated devices based on the propagation matrix.
According to a third aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described abnormal apparatus detection method.
According to a fourth aspect of the present disclosure, there is provided an electronic device comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the above-described abnormal device detection method via execution of the executable instructions.
The technical scheme of the disclosure has the following beneficial effects:
According to the abnormal device detection method, the abnormal device detection apparatus, the computer-readable storage medium and the electronic device described above, a detected abnormal device and all of its associated devices are acquired; a corresponding Laplacian matrix is generated according to the association relations between the abnormal device and the associated devices and among the associated devices; the generated Laplacian matrix is modified with an identity matrix to obtain a propagation matrix; and abnormal devices among the associated devices are detected based on the propagation matrix. On one hand, this example embodiment can perform anomaly detection on all devices associated with a detected abnormal device, which addresses the problem of abnormal devices evading detection by imitating the behaviour of normal devices. On the other hand, because the Laplacian matrix is modified with an identity matrix, the detection process takes into account that a device with more associated devices is more dangerous, which improves the accuracy of abnormal device detection. At the same time, the embodiment does not need a large number of training samples: all associated abnormal devices can be detected from a small number of known abnormal devices, and the collection of feature data does not have to be adjusted as the business changes, which simplifies the detection process and reduces its complexity.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 shows a schematic diagram of a system architecture of the present exemplary embodiment;
fig. 2 shows a schematic diagram of an electronic device of the present exemplary embodiment;
fig. 3 shows a flowchart of an abnormal device detection method of the present exemplary embodiment;
FIG. 4 illustrates a schematic diagram of a process of depth traversal of a specific embodiment of the present exemplary embodiment;
FIG. 5 illustrates a schematic diagram of a process of depth traversal of a specific embodiment of the present exemplary embodiment;
FIG. 6 is a diagram illustrating the results of a depth traversal of a specific embodiment of the present exemplary embodiment;
fig. 7 is a schematic diagram illustrating an association relationship between an abnormal device and an associated device in a specific example of the present exemplary embodiment;
FIG. 8 shows a flow chart of a tag propagation algorithm of the present exemplary embodiment;
FIG. 9 shows a diagram of the results of the tag propagation algorithm for a specific example of the present exemplary embodiment;
FIG. 10 is a diagram illustrating the results of a tag propagation algorithm for a specific example of the present exemplary embodiment;
fig. 11 shows a block diagram of a structure of an abnormal device detecting apparatus of the present exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In the related art, abnormal devices can be detected by the following three methods:
The first method is detection based on empirical knowledge. It relies on a thorough understanding of the specific business: the features and rules to be detected are defined manually from existing experience and knowledge, scores or thresholds are assigned to the corresponding rules, and the score for each rule is computed. Whether a user device is abnormal is decided by whether its actual score exceeds the specified threshold. This method has the following problems: the threshold is set empirically, so abnormal devices that score below or near it easily bypass detection, and maintaining the rules is costly.
The second method is supervised classification. Samples of abnormal and normal devices are obtained in advance, user features are constructed, a supervised classification model learns the distribution of those features and a classifier is produced. The device to be verified is then identified by calling the classifier. However, supervised classification requires a large amount of data collection and labelling work, feature collection has to change with the business requirements, and the model parameters have to be re-tuned whenever the black/grey-market strategy changes, so the path from training to deployment is highly complex. Moreover, the classification result of a supervised model is often unexplainable: it is not clear why a device was judged abnormal.
The third method is unsupervised clustering or anomaly detection. The user data does not need to be labelled in advance; features are constructed directly and an unsupervised clustering or anomaly detection algorithm partitions the user data, grouping normal devices into one class or abnormal devices into one class. Unsupervised classification, however, generally detects abnormal devices on the principle that "birds of a feather flock together", so an abnormal device can easily evade detection by imitating the behaviour of normal devices, and the detection accuracy cannot be guaranteed.
In order to solve the problems of the above methods, the present exemplary embodiment provides an abnormal device detection method, an abnormal device detection apparatus, a computer-readable storage medium, and an electronic device, which can perform anomaly detection of other devices starting from a small number of known abnormal devices. The abnormal device detection method, the abnormal device detection apparatus, the computer-readable storage medium, and the electronic device are described in detail below.
fig. 1 shows a schematic diagram of a system architecture of an exemplary embodiment of the present disclosure. As shown in fig. 1, the system architecture 100 may include: terminal 110, network 120, and server 130. The user terminal 110 may be various electronic devices connected to a network, which can perform various daily activities such as information interaction, data acquisition, entertainment, and the like, including but not limited to a mobile phone, a tablet computer, a digital camera, a personal computer, and the like. The medium used by network 120 to provide communications links between terminals 110 and server 130 may include various connection types, such as wired, wireless communications links, or fiber optic cables. It should be understood that the number of terminals, networks, and servers in fig. 1 are merely illustrative. There may be any number of terminals, networks, and servers, as desired for an implementation. For example, the server 130 may be a server cluster composed of a plurality of servers, and the like.
The abnormal device detection method provided by the embodiment of the present disclosure may be executed jointly by the terminal 110 and the server 130. For example, the server 130 may examine the terminals 110, obtain a detected abnormal terminal and, starting from it, search out all terminals associated with it; then generate a corresponding Laplacian matrix according to the association relations among the devices (the abnormal device and the associated devices found by the search); modify the Laplacian matrix with an identity matrix to obtain a propagation matrix; and detect abnormal devices among the associated devices based on the propagation matrix.
An exemplary embodiment of the present disclosure provides an electronic device for implementing an abnormal device detection method, which may be the terminal 110 or the server 130 in fig. 1. The electronic device comprises at least a processor and a memory for storing executable instructions of the processor, the processor being configured to perform the abnormal device detection method via execution of the executable instructions.
The electronic device may be implemented in various forms, and may include, for example, a mobile device such as a mobile phone, a tablet computer, a notebook computer, a Personal Digital Assistant (PDA), a navigation device, a wearable device, an unmanned aerial vehicle, and a stationary device such as a desktop computer and a smart television.
The following takes the mobile terminal 200 in fig. 2 as an example, and exemplifies the configuration of the electronic device. It will be appreciated by those skilled in the art that the configuration of figure 2 can also be applied to fixed type devices, in addition to components specifically intended for mobile purposes. In other embodiments, mobile terminal 200 may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware. The interfacing relationship between the components is only schematically illustrated and does not constitute a structural limitation of the mobile terminal 200. In other embodiments, the mobile terminal 200 may also interface differently than shown in fig. 2, or a combination of multiple interfaces.
As shown in fig. 2, the mobile terminal 200 may specifically include: a processor 210, an internal memory 221, an external memory interface 222, a USB interface 230, a charging management module 240, a power management module 241, a battery 242, an antenna 1, an antenna 2, a mobile communication module 250, a wireless communication module 260, an audio module 270, a speaker 271, a receiver 272, a microphone 273, an earphone interface 274, a sensor module 280, a display screen 290, a camera module 291, an indicator 292, a motor 293, keys 294, a subscriber identity module (SIM) card interface 295, and the like.
Processor 210 may include one or more processing units. The different processing units may be separate devices or may be integrated into one or more processors.
In some implementations, the processor 210 may include one or more interfaces. Connections are made with other components of mobile terminal 200 through different interfaces.
The USB interface 230 is an interface conforming to the USB standard specification, and can be used to connect a charger to charge the mobile terminal 200, and can also be used to connect other electronic devices.
The charge management module 240 is configured to receive a charging input from a charger. The charging management module 240 may also supply power to the device through the power management module 241 while charging the battery 242.
The power management module 241 is used for connecting the battery 242, the charging management module 240 and the processor 210. The power management module 241 receives input from the battery 242 and/or the charge management module 240, supplies power to various portions of the mobile terminal 200, and may also be used to monitor the status of the battery.
The wireless communication function of the mobile terminal 200 may be implemented by the antenna 1, the antenna 2, the mobile communication module 250, the wireless communication module 260, a modem processor, a baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The mobile communication module 250 may provide a solution including 2G/3G/4G/5G wireless communication applied on the mobile terminal 200.
The wireless communication module 260 may provide a wireless communication solution applied to the mobile terminal 200. The wireless communication module 260 may be one or more devices integrating at least one communication processing module. The wireless communication module 260 receives electromagnetic waves via the antenna 2, performs frequency modulation and filtering processing on electromagnetic wave signals, and transmits the processed signals to the processor 210. The wireless communication module 260 may also receive a signal to be transmitted from the processor 210, frequency-modulate and amplify the signal, and convert the signal into electromagnetic waves via the antenna 2 to radiate the electromagnetic waves.
In some embodiments, antenna 1 of the mobile terminal 200 is coupled to the mobile communication module 250 and antenna 2 is coupled to the wireless communication module 260, such that the mobile terminal 200 can communicate with networks and other devices through wireless communication techniques.
The mobile terminal 200 implements a display function through the GPU, the display screen 290, the application processor, and the like. Processor 210 may include one or more GPUs that execute program instructions to generate or alter display information. Mobile terminal 200 may include one or more display screens 290.
The external memory interface 222 may be used to connect an external memory card to enable expansion of the memory capabilities of the mobile terminal 200.
Internal memory 221 may be used to store computer-executable program code, including instructions. The internal memory 221 may include a program storage area and a data storage area. Wherein the storage program area may store an operating system, an application program required for at least one function, and the like. The storage data area may store data created during use of the mobile terminal 200, and the like. The processor 210 executes various functional applications of the mobile terminal 200 and data processing by executing instructions stored in the internal memory 221 and/or instructions stored in a memory provided in the processor.
The mobile terminal 200 may implement an audio function through the audio module 270, the speaker 271, the receiver 272, the microphone 273, the earphone interface 274, the application processor, and the like.
The sensor module 280 may include a touch sensor 2801, a pressure sensor 2802, a gyro sensor 2803, a barometric pressure sensor 2804, and the like. In addition, sensors with other functions can be arranged in the sensor module 280 according to actual needs.
The abnormal device detection method and the abnormal device detection apparatus according to the exemplary embodiments of the present disclosure will be specifically described below.
Fig. 3 shows a flow of an abnormal device detection method in the present exemplary embodiment, including the following steps S310 to S330:
step S310, acquiring the detected abnormal device and the associated device of the abnormal device.
In the present exemplary embodiment, an abnormal device is a device used to perform abnormal operations. For example, a normal electronic device in the network becomes an abnormal device once its information has leaked and it has been taken over by an illicit party. Likewise, second-hand devices bought in bulk at low cost by illicit actors and used for purposes such as profiting from private data or disrupting the market are abnormal devices. Other devices meeting this definition, which illicit actors may use for abnormal operations such as fraud, spam flooding, account farming, malicious comments and promotion abuse, also fall within the scope of abnormal devices in this exemplary embodiment.
An associated device is another electronic device that has an association with the abnormal device. For example, it may be a device connected to the abnormal device through a medium such as a network, or a device associated with the abnormal device through an environment identifier. The environment identifier may be a device account, such as a single sign-on (SSO) account, or an IP (Internet Protocol) address. Any other device meeting this definition that has an association with the abnormal device may also be an associated device; this exemplary embodiment is not limited in this respect.
Through the association between the abnormal device and its associated devices, an illicit party who controls the abnormal device can go on to use the associated devices for abnormal behaviour, and the associated devices so used become abnormal devices themselves. To detect all abnormal devices among the devices associated with the abnormal device, the detection method of this exemplary embodiment therefore needs to search out all associated devices after acquiring the detected abnormal device. The search may proceed as follows: obtain the environment identifier of the detected abnormal device, and search for all associated devices according to that identifier. Taking a business system as an example, the server may monitor the state of all electronic devices in the system; when one or more devices are detected as abnormal, the server obtains the SSO id or IP address of each abnormal device and searches out all devices related to it through SSO ids or IPs shared between devices.
The search can be performed with a depth-first traversal. Taking the detected device 3 as the abnormal device as an example, the steps of the depth-first search are:
(1) start the depth-first traversal with the abnormal device 3 as the starting vertex;
(2) query, via SSO id or IP, the first not-yet-visited neighbouring device of the current vertex, make that neighbour the new vertex, and repeat this step until the device just visited has no unvisited neighbour. For example, suppose the first unvisited neighbour found is device 5; as shown in fig. 4, device 5 becomes the new vertex. Suppose the unvisited neighbour found from device 5 is device 7; device 7 becomes the new vertex, but since device 7 has no unvisited neighbour the process enters step (3);
(3) return to the most recently visited device that still has an unvisited neighbour and visit the next unvisited neighbour of that vertex. As shown in fig. 5, device 7 has no unvisited neighbour, so the traversal returns to device 5 and visits its next unvisited neighbour, device 6;
(4) repeat steps (2) and (3) until no new device is added. For example, device 6 is searched as a new vertex until it has no unvisited neighbour; the traversal then returns to device 5 and visits its next unvisited neighbour, device 4. Steps (2) and (3) are repeated until every device reachable from device 3 has been traversed. As shown in fig. 6, the devices associated with the abnormal device 3 obtained by the depth-first traversal are devices 1 to 7. After the traversal starting from device 3 is complete, the devices 8 and 9 that were not visited can be traversed with device 8 or 9 as a new starting point, until all devices in the system have been traversed.
It should be noted that the above scenario is only an exemplary illustration, and other methods for searching for the associated device besides the deep traversal also belong to the scope of protection of the present exemplary embodiment.
Step S320, generating a corresponding laplacian matrix according to the association relationship between the abnormal device and the associated device and the association relationship between the associated devices.
In this exemplary embodiment, after the abnormal device and all of its associated devices have been obtained, a corresponding Laplacian matrix may be generated according to the association relations between the abnormal device and the associated devices and among the associated devices, so that the subsequent anomaly detection of the associated devices can be performed on the basis of that Laplacian matrix.
Taking the case where the association is an environment identifier shared by the abnormal device and its associated devices as an example, the Laplacian matrix may be generated as follows: compute the adjacency matrix of the abnormal device and the associated devices, and the degree matrix of that adjacency matrix, from the association relations between the abnormal device and the associated devices and among the associated devices; then generate the Laplacian matrix from the adjacency matrix and the degree matrix.
Taking device 3 as the abnormal device, as shown in fig. 7, device 3 is the detected abnormal device and all of its associated devices in the system, devices 1 to 7, were found in step S310. In fig. 7 the vertices represent devices and vertices whose devices have an association are joined by a line; for example, devices sharing the same SSO id may be joined, indicating that their account environment in the business is the same. The adjacency matrix A is generated from the vertices (devices) and the lines between them (associations, such as a shared SSO id or IP) in fig. 7 obtained by the traversal.
According to the associations among devices 1 to 7 in fig. 7, the adjacency matrix A is generated as follows: create a matrix with 7 rows and 7 columns, where each row and column corresponds to a device and each element records whether the two devices are associated; if the devices represented by the row and the column are directly associated (joined by a line segment in fig. 7) the element is set to 1, otherwise to 0. For example, the first row records the associations between device 1 and the other devices, as does the first column; the remaining rows and columns are filled in the same way, giving the adjacency matrix A corresponding to fig. 7:
[Image: adjacency matrix A of fig. 7 (Figure BDA0002683059840000101), not reproduced in text]
After the adjacency matrix A is obtained, the degree matrix corresponding to it must be calculated before the Laplacian matrix can be computed. The degree matrix may be calculated as follows: the elements on the diagonal of the adjacency matrix A obtained above are set to 1, the elements at positions where the row device and the column device have a direct association relationship are set to 1, and all other elements are set to 0; summing the elements of each row of A and placing the sum on the diagonal then gives the degree matrix D of the adjacency matrix A:
[Image: degree matrix D of the adjacency matrix A (Figure BDA0002683059840000102), not reproduced in text]
The diagonal element values of this matrix represent the number of devices directly associated with each device. For example, the diagonal values read from top left to bottom right are 2, 2, 6, 3, 5, 3, 2, so the numbers of devices directly associated with devices 1 to 7 are 2, 2, 6, 3, 5, 3, 2 respectively. Taking device 3 as an example, devices 1 to 6 (six in total, since the diagonal entry of device 3 itself was set to 1) are directly associated with it, while device 7 is only indirectly associated with it through an intermediate device.
After the adjacency matrix A and its degree matrix D have been obtained, the Laplacian matrix may be calculated in any of the following three ways:
[Image: third form of the Laplacian matrix (Figure BDA0002683059840000111), not reproduced in text]
$L = D - A$, $L = I - D^{-1} A$
where I is the identity matrix. It should be noted that the above scenario is only an exemplary illustration of the process of generating the Laplacian matrix, and the scope of protection of the present exemplary embodiment is not limited thereto.
Step S330, the generated laplacian matrix is improved by the identity matrix to obtain a propagation matrix, and the abnormal device in the related device is detected based on the propagation matrix.
The Laplacian matrix generated in step S320 accounts only for the degrees of adjacent vertices when representing the relationship between vertices, and does not consider the security implication of a vertex's degree. In business security, the higher the degree of a vertex, the higher its risk. In fig. 7, device 5 has degree 4, meaning that 4 devices are directly associated with it (for example by sharing the same ssoid), so it should carry a higher risk; yet according to the Laplacian matrix above, the device most closely associated with device 3 is device 1, which has only one ssoid. Most likely that ssoid was stolen by the user of device 3, which is why device 1 is associated with device 3, and its risk should instead be the lowest. That is, anomaly detection of the associated devices based on the Laplacian matrix obtained in step S320 is inaccurate.
In order to obtain a more accurate detection result, the present exemplary embodiment improves the Laplacian matrix by incorporating the characteristic that a vertex of higher degree carries a higher risk, so as to obtain the propagation matrix T. The regularized Laplacian matrix corresponding to the Laplacian matrix described above is
[Image: regularized Laplacian matrix (Figure BDA0002683059840000112), not reproduced in text]
and the improvement may be carried out as follows: replace the identity matrix in the regularized Laplacian matrix with the all-ones matrix (called the unit matrix here), and right-multiply by the adjacency matrix to obtain the propagation matrix
[Image: propagation matrix T in general form (Figure BDA0002683059840000113), not reproduced in text]
Taking device 3 as the abnormal device as above, this process replaces the identity matrix in the regularized Laplacian matrix with a seven-by-seven all-ones matrix to obtain the propagation matrix:
[Image: propagation matrix T for the devices of fig. 7 (Figure BDA0002683059840000114), not reproduced in text]
After the propagation matrix is obtained, all associated devices of the abnormal device may be examined on the basis of the propagation matrix, so as to find the abnormal devices among them. For example, this may be implemented with a label propagation algorithm, as follows: obtain the similarity between devices from the propagation matrix, and detect the abnormal devices among the associated devices through a label propagation algorithm based on that similarity.
The label propagation algorithm, as shown in fig. 8, may include the following steps:
Step S810: set the parameters m, n and d of the label propagation algorithm, where m is the number of associations followed per propagation step, n is the maximum number of propagation layers, and d is the threshold value used during propagation.
Step S820: take the detected abnormal device in the propagation matrix as the initial value and record it as List_imei.
Step S830: compare the current propagation layer number i with n; if i is smaller than n, go to step S840, otherwise go to step S890.
Step S840: traverse List_imei and, for the row of each device in it, record the m largest values excluding the diagonal as D[m].
Step S850: traverse D[m] and compare each value with d. If D[j] is greater than d, go to step S860; if D[j] is less than or equal to d, go to step S870, where 1 ≤ j ≤ m.
Step S860: update List_imei with the device number corresponding to D[j], and store that device number in the abnormal device library.
Step S870: discard the device number corresponding to D[j].
Step S880: judge whether all device numbers in the updated List_imei are already in the device library; if so, go to step S890, otherwise go to step S830.
Step S890: end the algorithm.
Taking the scenario of fig. 7 as an example, with m = 1, n = 2 and d = 0.72, the label propagation proceeds as follows: the largest value excluding the diagonal is searched in the row of device 3 of the propagation matrix, giving D[m] = {0.82}; the values in D[m] are compared with d = 0.72 in turn. Since m = 1, D[m] has only one value D[1], and D[1] = 0.82 > d = 0.72, so device 5, which corresponds to D[1], is stored in the abnormal device library, completing the first propagation layer. List_imei is then updated with device 5, the largest off-diagonal values in the rows of device 3 and device 5 of the propagation matrix are searched, and the above steps are repeated; the updated List_imei is still device 3 and device 5, all of whose device numbers are already in the device library, so the algorithm ends. Fig. 9 shows the result of the label propagation algorithm, with the circles of abnormal devices drawn in bold; devices 3 and 5 are the abnormal devices found by the label propagation algorithm.
The parameters of the label propagation algorithm can be set according to actual conditions, and different parameters may lead to different propagation results. For example, with m = 2, n = 2 and d = 0.72, as shown in fig. 10, the abnormal devices detected by the label propagation algorithm above are devices 3 to 6.
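The following pure-Python block reproduces steps S320 to S330 and the two parameter settings above (m = 1 giving devices 3 and 5, m = 2 giving devices 3 to 6); it is an added example, not code from the patent. It assumes an edge list constructed to match the stated diagonal of D, reads the propagation matrix as the all-ones matrix minus D^{-1/2} A D^{-1/2} with non-adjacent entries masked to zero (one reading of the "right-multiply by the adjacency matrix" step, chosen because it reproduces the quoted 0.82), and keeps tied values when taking the m largest.

```python
"""Worked example for steps S320-S330: adjacency and degree matrices, the
propagation matrix T, and the label propagation of fig. 8.

Added example, not code from the patent. Assumptions are marked below.
"""
import math

N_DEV = 7
# Constructed edge list (1-based device numbers as in fig. 7). Assumption: the
# graph consistent with the stated diagonal of D (2, 2, 6, 3, 5, 3, 2), with
# device 3 linked to devices 1, 2, 4, 5, 6 and device 7 reachable only via 5.
EDGES = [(3, 1), (3, 2), (3, 4), (3, 5), (3, 6), (5, 4), (5, 6), (5, 7)]


def adjacency_with_self_loops(n, edges):
    """Adjacency matrix A of step S320: diagonal set to 1, 1 for each direct
    association, 0 elsewhere."""
    a = [[0] * n for _ in range(n)]
    for i in range(n):
        a[i][i] = 1
    for u, v in edges:
        a[u - 1][v - 1] = 1
        a[v - 1][u - 1] = 1
    return a


def degree_diagonal(a):
    """Diagonal of the degree matrix D: the row sums of A."""
    return [sum(row) for row in a]


def closest_by_normalized_adjacency(a, dev):
    """Devices with the largest D^{-1/2} A D^{-1/2} entry in dev's row, i.e.
    the 'closest' devices under the regularized Laplacian of step S320."""
    deg = degree_diagonal(a)
    i = dev - 1
    scores = {j + 1: a[i][j] / math.sqrt(deg[i] * deg[j])
              for j in range(len(a)) if j != i and a[i][j]}
    best = max(scores.values())
    return sorted(j for j, s in scores.items() if s == best)


def propagation_matrix(a):
    """Propagation matrix T of step S330.

    Assumption: T = J - D^{-1/2} A D^{-1/2} with J the all-ones matrix, and
    the 'right-multiply by A' step read as element-wise masking by A, so that
    non-adjacent devices get 0. This reproduces the 0.82 quoted for (3, 5).
    """
    n = len(a)
    deg = degree_diagonal(a)
    t = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if a[i][j]:
                t[i][j] = 1.0 - 1.0 / math.sqrt(deg[i] * deg[j])
    return t


def label_propagation(t, seeds, m, n_layers, d):
    """Steps S810-S890; seeds are 1-based device numbers.

    Per layer, each device in List_imei contributes the m largest distinct
    off-diagonal values of its row (tied devices are all kept: assumption);
    a neighbour joins the abnormal device library when its value exceeds d.
    Propagation stops after n_layers, or earlier when a layer adds nothing.
    """
    library = set(seeds)
    list_imei = list(seeds)
    for _ in range(n_layers):
        new = set()
        for dev in list_imei:
            row = t[dev - 1]
            cands = [(row[j], j + 1) for j in range(len(row))
                     if j + 1 != dev and row[j] > 0.0]
            top = sorted({v for v, _ in cands}, reverse=True)[:m]  # D[m]
            for v, other in cands:
                if v in top and v > d and other not in library:
                    new.add(other)
        if not new:  # S880: every entry of List_imei is already known
            break
        library |= new
        list_imei.extend(sorted(new))
    return sorted(library)


if __name__ == "__main__":
    A = adjacency_with_self_loops(N_DEV, EDGES)
    T = propagation_matrix(A)
    print("diag(D) =", degree_diagonal(A))
    print("closest to device 3 under the Laplacian:",
          closest_by_normalized_adjacency(A, 3))
    print("T[3][5] = %.2f" % T[2][4])
    print("m=1, n=2, d=0.72 ->", label_propagation(T, [3], 1, 2, 0.72))
    print("m=2, n=2, d=0.72 ->", label_propagation(T, [3], 2, 2, 0.72))
```

Under these assumptions the row of device 3 gives 0.71 for devices 1 and 2, 0.76 for devices 4 and 6 and 0.82 for device 5, which is why d = 0.72 separates the low-degree device 1 from the high-degree device 5.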
It should be noted that the above scenario is only an exemplary illustration, and other methods for detecting an abnormality of a related device based on the propagation matrix also belong to the protection scope of the present exemplary embodiment.
In summary, in the present exemplary embodiment, the detected abnormal device and all devices associated with it are obtained; a corresponding Laplacian matrix is generated from the association relationships between the abnormal device and the associated devices and between the associated devices; and the generated Laplacian matrix is improved through the identity matrix to obtain a propagation matrix, on the basis of which the abnormal devices among the associated devices are detected. On one hand, this embodiment can perform anomaly detection on all devices related to the detected abnormal device, which mitigates the problem that an abnormal device evades detection by imitating the behaviour of a normal device. On the other hand, the Laplacian matrix is improved through the identity matrix, so that the detection process takes into account that a device with more associated devices is more dangerous, which improves the accuracy of abnormal device detection. Meanwhile, the embodiment needs no large set of training samples: all related abnormal devices can be detected starting from a small number of abnormal devices, and the collection of feature data need not be adjusted whenever the service changes, which simplifies the detection process and reduces detection complexity.
In an exemplary embodiment, after the abnormal devices among the associated devices have been detected, the abnormal device detection algorithm may be further refined in combination with a supervised learning algorithm, so that anomaly detection can also be performed on isolated devices that are not associated with any other device. Specifically: the abnormal device and the abnormal devices detected among its associated devices are used as training samples, a classifier is obtained through supervised learning, and abnormal devices are then detected with the classifier.
Exemplary embodiments of the present disclosure also provide an abnormal apparatus detecting device. As shown in fig. 11, the abnormal device detecting apparatus 1100 may include:
a relationship obtaining module 1110, configured to obtain the detected abnormal device and a device associated with the abnormal device;
a matrix generation module 1120, configured to generate a corresponding laplacian matrix according to an association relationship between the abnormal device and the associated device and an association relationship between the associated devices;
the device detecting module 1130 is configured to obtain a propagation matrix by improving the laplacian matrix through the identity matrix, and detect an abnormal device in the associated device based on the propagation matrix.
In an exemplary embodiment, the relationship obtaining module may include an obtaining unit and a searching unit. The acquisition unit is used for acquiring the detected abnormal equipment in the system; the search unit is used for traversing all the devices in the system to obtain all the associated devices which have the association relation with the abnormal device.
In an exemplary embodiment, the matrix generation module may include an analysis unit and a calculation unit. The analysis unit is used for analysing the direct association relationship between the abnormal device and each associated device and generating the corresponding adjacency matrix and its degree matrix; the calculation unit is used for calculating the Laplacian matrix from the adjacency matrix and the degree matrix.
In an exemplary embodiment, the device detection module may include an improvement unit and a detection unit. The improvement unit is used for improving the generated Laplace matrix to obtain a propagation matrix, and the specific improvement process is described in detail in the corresponding steps of the method; the detection unit is used for detecting abnormal equipment in the associated equipment based on the propagation matrix.
In an exemplary embodiment, the abnormal device detecting apparatus further includes a training module. The training module can be used for obtaining a classifier by taking the abnormal equipment and the abnormal equipment detected from the related equipment of the abnormal equipment as training samples through supervised learning, and detecting the abnormal equipment through the classifier.
The specific details of each module in the above apparatus have been described in detail in the method section, and details that are not disclosed may refer to the method section, and thus are not described again.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the disclosure may also be implemented in the form of a program product including program code for causing a terminal device to perform the steps according to various exemplary embodiments of the disclosure described in the above-mentioned "exemplary methods" section of this specification, when the program product is run on the terminal device, for example, any one or more of the steps in fig. 3 to 10 may be performed.
Exemplary embodiments of the present disclosure also provide a program product for implementing the above method, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (10)

1. An abnormal device detection method, comprising:
acquiring detected abnormal equipment and associated equipment of the abnormal equipment;
generating a corresponding Laplace matrix according to the incidence relation between the abnormal equipment and the associated equipment and the incidence relation between the associated equipment;
and improving the Laplace matrix through an identity matrix to obtain a propagation matrix, and detecting abnormal equipment in the associated equipment based on the propagation matrix.
2. The abnormal device detecting method according to claim 1, wherein the acquiring the detected abnormal device and the associated device of the abnormal device includes:
acquiring an environment identifier of the detected abnormal equipment, and searching all the associated equipment associated with the abnormal equipment according to the environment identifier;
wherein the environment identification comprises at least one of a device account number or a network protocol address.
3. The abnormal device detection method according to claim 2, wherein the searching out all the associated devices associated with the abnormal device according to the environment identification comprises:
and searching all the associated equipment associated with the abnormal equipment by deep traversal by taking the abnormal equipment as a starting point according to the environment identification.
4. The abnormal device detection method according to claim 1, wherein the generating a corresponding laplacian matrix according to the association relationship between the abnormal device and the associated device and the association relationship between the associated devices comprises:
calculating to obtain an adjacent matrix corresponding to the abnormal equipment and the associated equipment and a degree matrix of the adjacent matrix according to the association relationship between the abnormal equipment and the associated equipment and the association relationship between the associated equipment;
generating the Laplace matrix based on the adjacency matrix and the degree matrix.
5. The abnormal device detection method according to claim 4, wherein the laplacian matrix is a regularized laplacian matrix;
the improving the laplacian by an identity matrix to obtain a propagation matrix comprises:
and replacing the unit diagonal matrix in the regularized Laplace with a unit matrix, and right-multiplying the adjacent matrix to obtain the propagation matrix.
6. The abnormal device detecting method according to claim 1, wherein the detecting of the abnormal device in the associated devices based on the propagation matrix includes:
and acquiring the similarity among the devices according to the propagation matrix, and detecting abnormal devices in the associated devices through a label propagation algorithm based on the similarity.
7. The abnormal device detecting method according to claim 6, wherein after said detecting an abnormal device among the associated devices based on the propagation matrix, the method further comprises:
and taking the abnormal equipment and the abnormal equipment detected from the associated equipment as training samples, obtaining a classifier through supervised learning, and detecting the abnormal equipment through the classifier.
8. An abnormal device detection apparatus, comprising:
the relation acquisition module is used for acquiring the detected abnormal equipment and the associated equipment of the abnormal equipment;
a matrix generation module, configured to generate a corresponding laplacian matrix according to an association relationship between the abnormal device and the associated device and an association relationship between the associated devices;
and the equipment detection module is used for improving the Laplace matrix through an identity matrix to obtain a propagation matrix and detecting abnormal equipment in the associated equipment based on the propagation matrix.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
10. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1 to 7 via execution of the executable instructions.
CN202010968051.9A 2020-09-15 2020-09-15 Abnormal equipment detection method and device, storage medium and electronic equipment Active CN112035334B (en)


Publications (2)

Publication Number Publication Date
CN112035334A true CN112035334A (en) 2020-12-04
CN112035334B CN112035334B (en) 2023-01-31

Family

ID=73590221



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant